What is Smishing and How to Defend Against it?

A nefarious text message could be on its way to a smartphone near you. This is a message, often purporting to be from your bank asking you for personal or financial information such as your account or ATM number. Providing the information is as good as handing thieves the keys to your bank balance.

Smishing is a portmanteau of "SMS" (short message services, better known as texting) and "phishing." When cybercriminals "phish," they send fraudulent emails that seek to trick the recipient into opening a malware-laden attachment or clicking on a malicious link. Smishing simply uses text messages instead of email.

What Smishermen Use as Bait

Texting is the most common use of smartphones. Experian found that adult mobile users aged 18 to 24 send more than 2,022 texts per month—on average, that's 67 per day—and receive 1,831.
A couple of other factors make this a particularly insidious security threat. Most people know something of the risks of email fraud. You've probably learned to be suspicious of emails that say "Hi—check out this cool link," and don't contain an actual personal message from the supposed sender.

When people are on their phones, they are less wary. Many assume that their smartphones are more secure than computers. But smartphone security has limitations, and cannot directly protect against smishing. As noted by WillisWire, cybercrime aimed at mobile devices is rocketing, just as mobile device usage is. However, while Android devices remain the prime target for malware—simply because so many of them are out there; and the platform offers greater flexibility for customers (and cybercriminals!)—smishing, like SMS itself works cross-platform. This puts iPhone and iPad users at particular risk because they often feel they are immune to attack. Although Apple's iOS mobile technology has a good reputation for security, no mobile operating system can by itself protect you from phishing-style attacks. Another risk factor is that you use your smartphone on the go, often when you're distracted or in a hurry. This means you're more likely to get caught with your guard down and respond without thinking when you receive a message asking for bank information or to redeem a coupon.

What Smishermen Are After

In a nutshell, like most cybercriminals, they are out to steal your personal data, which they can then use to steal money—usually yours, but sometimes also your company's. Cybercriminals use two methods to steal this data. They might trick you into downloading malware that installs itself on your phone. This malware might masquerade as a legitimate app, tricking you into typing in confidential information and sending this data to the cybercriminals. On the other hand, the link in the smishing message might take you to a fake site where you're asked to type sensitive personal information that the cybercriminals can use to steal your online ID.

As more and more people use their personal smartphones for work (a trend called BYOD, or "bring your own device") smishing is becoming a business threat as well as a consumer threat. So it should come as no surprise that, according to Cloudmark, smishing has become the leading form of malicious text message.

Protect Yourself

The good news is that the potential ramifications of these attacks are easy to protect against. In fact, you can keep yourself safe by doing nothing at all. The attack can only do damage if you take the bait. There are a few things to keep in mind that will help you protect yourself against these attacks.

• You should regard urgent security alerts and you-must-act-now coupon redemptions, offers or deals as warning signs of a hacking attempt.
• No financial institution or merchant will send you a text message asking you to update your account information or confirm your ATM card code. If you get a message that seems to be from your bank or a merchant you do business with, and it asks you to click on something in the message, it's a fraud. Call your bank or merchant directly if you are in any doubt.
• Never click a reply link or phone number in a message you're not sure about.
• Look for suspicious numbers that don't look like real mobile phone numbers, like "5000". As Network World notes, these numbers link to email-to-text services, which are sometimes used by scam artists to avoid providing their actual phone numbers.
• Don't store your credit card or banking information on your smartphone. If the information isn't there, thieves can't steal it even if they do slip malware onto your phone.
• Refuse to take the bait—simply don't respond.
• Report all smishing attacks to the FCC to try to protect others.

Remember that, like email phishing, smishing is a crime of trickery—it depends on fooling the victim into cooperating by clicking a link or providing information. Indeed, the simplest protection against these attacks is to do nothing at all. So long as you don't respond, a malicious text cannot do anything. Ignore it and it will go away.